Project policy

core2/go.mod

@@ -50,7 +50,7 @@ require (
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect

core2/go.sum

@@ -56,8 +56,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
-github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=

core2/pkg/accounting/00_module.go

@@ -43,6 +43,9 @@ func Init() {
 	initGrantsExport()
 	times["GrantsExport"] = t.Mark()
 
+	initPolicySubscriptions()
+	times["PolicySubscriptions"] = t.Mark()
+
 	coreutil.PrintStartupTimes("Accounting", times)
 
 	if util.DevelopmentModeEnabled() {

core2/pkg/accounting/accounting.go

@@ -28,6 +28,9 @@ func initAccounting() {
 	go accountingProcessTasks()
 
 	accapi.RootAllocate.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[accapi.RootAllocateRequest]) (fndapi.BulkResponse[fndapi.FindByStringId], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.BulkResponse[fndapi.FindByStringId]{}, util.HttpErr(http.StatusForbidden, "Client IP is not allowed by project")
+		}
 		var result []fndapi.FindByStringId
 		for _, reqItem := range request.Items {
 			id, err := RootAllocate(info.Actor, reqItem)
@@ -41,6 +44,9 @@ func initAccounting() {
 	})
 
 	accapi.UpdateAllocation.Handler(func(info rpc.RequestInfo, request fndapi.BulkRequest[accapi.UpdateAllocationRequest]) (util.Empty, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return util.Empty{}, util.HttpErr(http.StatusForbidden, "Client IP is not allowed by project")
+		}
 		return UpdateAllocation(info.Actor, request.Items)
 	})
 
@@ -58,6 +64,9 @@ func initAccounting() {
 	})
 
 	accapi.WalletsBrowse.Handler(func(info rpc.RequestInfo, request accapi.WalletsBrowseRequest) (fndapi.PageV2[accapi.WalletV2], *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return fndapi.PageV2[accapi.WalletV2]{}, util.HttpErr(http.StatusForbidden, "Client IP is not allowed by project")
+		}
 		return WalletsBrowse(info.Actor, request), nil
 	})
 

core2/pkg/accounting/grants.go

@@ -2056,14 +2056,23 @@ func initGrants() {
 
 	if !grantGlobals.Testing.Enabled {
 		accapi.GrantsBrowse.Handler(func(info rpc.RequestInfo, request accapi.GrantsBrowseRequest) (fndapi.PageV2[accapi.GrantApplication], *util.HttpError) {
+			if sourceIPisRestricted(info) {
+				return fndapi.PageV2[accapi.GrantApplication]{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+			}
 			return GrantsBrowse(info.Actor, request), nil
 		})
 
 		accapi.GrantsRetrieve.Handler(func(info rpc.RequestInfo, request fndapi.FindByStringId) (accapi.GrantApplication, *util.HttpError) {
+			if sourceIPisRestricted(info) {
+				return accapi.GrantApplication{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+			}
 			return GrantsRetrieve(info.Actor, request.Id)
 		})
 
 		accapi.GrantsSubmitRevision.Handler(func(info rpc.RequestInfo, request accapi.GrantsSubmitRevisionRequest) (fndapi.FindByStringId, *util.HttpError) {
+			if sourceIPisRestricted(info) {
+				return fndapi.FindByStringId{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+			}
 			id, err := GrantsSubmitRevision(info.Actor, request)
 			if err != nil {
 				return fndapi.FindByStringId{}, err
@@ -2086,6 +2095,9 @@ func initGrants() {
 		})
 
 		accapi.GrantsPostComment.Handler(func(info rpc.RequestInfo, request accapi.GrantsPostCommentRequest) (fndapi.FindByStringId, *util.HttpError) {
+			if sourceIPisRestricted(info) {
+				return fndapi.FindByStringId{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+			}
 			id, err := GrantsPostComment(info.Actor, request)
 			if err != nil {
 				return fndapi.FindByStringId{}, err
@@ -2095,6 +2107,9 @@ func initGrants() {
 		})
 
 		accapi.GrantsDeleteComment.Handler(func(info rpc.RequestInfo, request accapi.GrantsDeleteCommentRequest) (util.Empty, *util.HttpError) {
+			if sourceIPisRestricted(info) {
+				return util.Empty{}, util.HttpErr(http.StatusForbidden, "Client IP is not accepted by project")
+			}
 			return util.Empty{}, GrantsDeleteComment(info.Actor, request)
 		})
 

core2/pkg/accounting/grants_export.go

@@ -2,6 +2,7 @@ package accounting
 
 import (
 	"fmt"
+	"net/http"
 	"strings"
 	"time"
 
@@ -14,10 +15,16 @@ import (
 
 func initGrantsExport() {
 	accapi.GrantsExport.Handler(func(info rpc.RequestInfo, request util.Empty) ([]accapi.GrantsExportResponse, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return nil, util.HttpErr(http.StatusForbidden, "Client IP is not allowed by project")
+		}
 		return GrantsExportBrowse(info.Actor), nil
 	})
 
 	accapi.GrantsExportCsv.Handler(func(info rpc.RequestInfo, request util.Empty) (accapi.GrantsExportCsvResponse, *util.HttpError) {
+		if sourceIPisRestricted(info) {
+			return accapi.GrantsExportCsvResponse{}, util.HttpErr(http.StatusForbidden, "Client IP is not allowed by project")
+		}
 		csv := GrantsExportBrowseToCsv(GrantsExportBrowse(info.Actor))
 		return accapi.GrantsExportCsvResponse{
 			FileName: "grants.csv",

core2/pkg/accounting/policy_cache.go

@@ -0,0 +1,107 @@
+package accounting
+
+import (
+	"context"
+	"net"
+	"sync"
+
+	"ucloud.dk/core/pkg/coreutil"
+	db "ucloud.dk/shared/pkg/database"
+	fndapi "ucloud.dk/shared/pkg/foundation"
+	"ucloud.dk/shared/pkg/log"
+	"ucloud.dk/shared/pkg/rpc"
+	"ucloud.dk/shared/pkg/util"
+)
+
+// policyCache is a mapping of projectId -> map[schemaName] -> PolicySpecification
+var policyCache struct {
+	Mu                sync.RWMutex
+	PoliciesByProject map[string]map[string]*fndapi.PolicySpecification
+}
+
+func initPolicySubscriptions() {
+
+	policyCache.Mu.Lock()
+	policyCache.PoliciesByProject = make(map[string]map[string]*fndapi.PolicySpecification)
+	policyCache.Mu.Unlock()
+
+	go func() {
+		policyUpdates := db.Listen(context.Background(), "policy_updates")
+		policyDeletes := db.Listen(context.Background(), "policy_deleted")
+
+		var projectId string
+		var policySpecifications map[string]*fndapi.PolicySpecification
+		var policiesOk bool
+
+		for {
+			select {
+			case projectId = <-policyUpdates:
+				db.NewTx0(func(tx *db.Transaction) {
+					policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
+				})
+			case projectId = <-policyDeletes:
+				db.NewTx0(func(tx *db.Transaction) {
+
+					policySpecifications, policiesOk = coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
+				})
+			}
+
+			if policiesOk {
+				updatePolicyCacheForProject(projectId, policySpecifications)
+			}
+		}
+
+	}()
+}
+
+// policiesByProject returns mapping of [schema Name] => PolicySpecification. If no policy is cached for the project it
+// will attempt to retrieve it from DB. This is also how it is populated.
+func policiesByProject(projectId string) map[string]*fndapi.PolicySpecification {
+	projectPolicies := map[string]*fndapi.PolicySpecification{}
+	policyCache.Mu.Lock()
+	projectPolicies, ok := policyCache.PoliciesByProject[projectId]
+	if !ok {
+		log.Debug("No policies for project %v", projectId)
+		db.NewTx0(func(tx *db.Transaction) {
+			policySpecifications, policiesOk := coreutil.PolicySpecificationsRetrieveFromDatabase(tx, projectId)
+			if policiesOk {
+				policyCache.PoliciesByProject[projectId] = policySpecifications
+			} else {
+				log.Debug("No policies for project %v found in DB", projectId)
+			}
+		})
+	}
+	policyCache.Mu.Unlock()
+
+	return projectPolicies
+}
+
+func updatePolicyCacheForProject(projectId string, policySpecifications map[string]*fndapi.PolicySpecification) {
+	policyCache.Mu.Lock()
+	policyCache.PoliciesByProject[projectId] = policySpecifications
+	policyCache.Mu.Unlock()
+}
+
+func sourceIPisRestricted(info rpc.RequestInfo) bool {
+	if info.Actor.Project.Present {
+		sourceIpSpecs, hasSourceRestriction := policiesByProject(info.Actor.Project.String())[fndapi.RestrictSourceIPRange.String()]
+		if hasSourceRestriction {
+			isRestricted := true
+			for _, property := range sourceIpSpecs.Properties {
+				if property.Name == "allowedClientSubnets" {
+					allowedIps := property.Text
+					if allowedIps == "" {
+						break
+					}
+					_, subnet, _ := net.ParseCIDR(allowedIps)
+					ip := net.ParseIP(util.ClientIP(info.HttpRequest).String())
+					if subnet.Contains(ip) {
+						isRestricted = false
+					}
+				}
+			}
+			return isRestricted
+		}
+	}
+	return false
+}